X-Frame-Options Header
Resolved
I've received a finding that Yellowfin isn't using X-Frame-Options: DENY in the HTTP Headers.
Note: Please use the OWASP Secure Headers Filter instead. This can be resolved at the Tomcat level by implementing HTTP Header Security.
For Tomcat 8 (and possibly earlier)
Simply add the following to <YellowfinInstall>/appserver/webapps/ROOT/WEB-INF/web.xml inside the <web-app> tag:
Where $optionHere will signify one of: DENY, SAMEORIGIN, ALLOW-FROM, as documented in the Tomcat Configuration docs.
For Tomcat 9 (and possibly later)
It needs to be included in the web.xml file found in the /appserver/conf directory. In addition to this change, the init-param values need to be contained within the filter block itself (see the example below):
As always, if still facing issues, please let us know and we will provide further guidance.
Regards,
Yellowfin Support Team
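An added example, not part of the original reply and not Yellowfin's own code: a small check that reads a web.xml and confirms Tomcat's HttpHeaderSecurityFilter is declared, mapped, and carries its anti-clickjacking init-param inside the filter block. The sample web.xml is constructed, and the filter name `httpHeaderSecurity` and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
VALID_OPTIONS = {"DENY", "SAMEORIGIN", "ALLOW-FROM"}  # values listed on the page
# Constructed sample web.xml: init-param nested inside the <filter> block.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>DENY</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

def _local(elem):
    return elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c) == name), None)

def audit_frame_options(web_xml_text):
    """Return (effective_option, problems) for the header filter in a web.xml."""
    root = ET.fromstring(web_xml_text)
    problems, filters, mapped = [], {}, set()
    for elem in root:
        if _local(elem) == "filter" and _text(elem, "filter-class") == FILTER_CLASS:
            filters[_text(elem, "filter-name")] = {
                _text(p, "param-name"): _text(p, "param-value")
                for p in elem if _local(p) == "init-param"}
        elif _local(elem) == "filter-mapping":
            mapped.add(_text(elem, "filter-name"))
        elif _local(elem) == "init-param":
            problems.append("init-param found outside a <filter> block")
    if not filters:
        return None, problems + ["HttpHeaderSecurityFilter is not declared"]
    name, params = next(iter(filters.items()))
    if name not in mapped:
        problems.append("filter %r has no <filter-mapping>" % name)
    if (params.get("antiClickJackingEnabled") or "true").lower() == "false":
        problems.append("antiClickJackingEnabled is false")
    option = params.get("antiClickJackingOption", "DENY")  # DENY is Tomcat's default
    if option.upper() not in VALID_OPTIONS:
        problems.append("unsupported antiClickJackingOption: %s" % option)
    return option, problems
```

Run it against the edited web.xml before restarting Tomcat; an empty problem list with the expected option means the filter should emit the header on mapped requests.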